SASL vs. gssapi

I am doing a project which involves authentication and I can't quite grasp the difference between SASL and gssapi. Is gssapi used under the covers of SASL? Can I use gssapi without SASL? What is the correct thing to do?

If I use libsasl, do I need to link with libgssapi_*?

Thanks.

Calculation answered 24/3, 2012 at 18:52 Comment(0)

SASL and gssapi basically solve the same problem in different ways. Both are a way to find the best common authentication method to use between two systems.

So no, gssapi isn't used under the hood in SASL, unless you use something like RFC4752.

Yes, you can use gssapi without SASL; an example of that would be the typical Linux machine logging into a Windows AD domain via the Kerberos/gssapi providers.

It all depends on what kind of authentication scenarios you have to implement; both SASL and gssapi have their uses. GSSAPI is most commonly used with the Kerberos system.

Latter answered 24/3, 2012 at 19:10 Comment(3)
Thanks for the answer. Which of the two is used more often? Is one "preferred" over the other? In your example, with Linux talking to AD, is SASL the "right" answer or is gssapi? - Calculation

It depends. SASL is newer for sure, and when using SASL with the Kerberos stuff it works just fine. The actual answer with Linux talking to AD is usually just 'Use SAMBA', as they did a lot of reverse engineering to make everything work. It really depends on your use case: for example, for LDAP you can use SASL or GSSAPI or both; for HTTP it would often be silly to use SASL due to extra round trips, so you would use SPNEGO, which is closer to gssapi, and so on, depending on your use case. - Latter

In an environment with a small number of AD interactions, it seems like you are saying that SASL is the way to go. Did I read that correctly? (I don't have any preconceived notions of SASL, SPNEGO, gssapi being right or wrong. I am just trying to figure out a direction to pursue.) - Calculation
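
The "find the best common authentication method" step from the answer above, seen from a SASL client, as an added example that is not part of the original thread. The preference order, the TLS rule for PLAIN and the names `client_prefs` and `select_mech` are assumptions made for illustration; "GSSAPI" is the SASL mechanism name defined by RFC 4752.

```c
#include <stdio.h>
#include <string.h>

/* Client policy, most preferred first (an assumption for this example).
 * "GSSAPI" is the SASL mechanism name RFC 4752 gives to Kerberos V5 over GSS-API. */
static const char *const client_prefs[] = { "GSSAPI", "SCRAM-SHA-256", "PLAIN" };
#define NPREFS (sizeof client_prefs / sizeof client_prefs[0])

/* RFC 4422 mechanism names: 1 to 20 characters from A-Z, 0-9, '-' and '_'. */
static int valid_mech_name(const char *s, size_t n)
{
    if (n < 1 || n > 20) return 0;
    for (size_t i = 0; i < n; i++) {
        char c = s[i];
        if (!((c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') || c == '-' || c == '_'))
            return 0;
    }
    return 1;
}

/* Return the most preferred client mechanism that the server also offers, or
 * NULL. The server's list is space-separated. PLAIN is only eligible when TLS
 * is already active, so a shortened or tampered list cannot push the client
 * into sending a cleartext password. */
const char *select_mech(const char *server_list, int tls_active)
{
    for (size_t p = 0; p < NPREFS; p++) {
        const char *want = client_prefs[p];
        if (!tls_active && strcmp(want, "PLAIN") == 0) continue;
        for (const char *s = server_list; *s; ) {
            s += strspn(s, " ");
            size_t n = strcspn(s, " ");
            if (valid_mech_name(s, n) && n == strlen(want) && memcmp(s, want, n) == 0)
                return want;
            s += n;
        }
    }
    return NULL;
}

int main(void)
{
    /* Constructed server advertisements. */
    const char *a = select_mech("PLAIN GSSAPI", 1);
    const char *b = select_mech("PLAIN", 0);
    printf("%s\n%s\n", a ? a : "(none)", b ? b : "(none)");
    return 0;
}
```
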
